It’s looking for other scripts too, like thumb.php, cropper.php, img.php and getimg.php.
My site doesn’t host any of those scripts, but when it gets scanned I notice there’s always a ‘blank’ referrer in the request. I’d have expected a referrer, at least.

This .htaccess rule is working fine for me:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^-?$ # if referrer empty (or faked empty)
RewriteCond %{REQUEST_URI} ((tim)?thumb|cropper|img|getimg)\.php$ [NC] # deny the request
RewriteRule .* – [F]

It catches all IPs (present and future, hopefully). I’ve tried a 301 back to the REMOTE_ADDRESS but it made no diff, they just keep coming.